[libcamera-devel] [PATCH v2 14/17] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf

[Paul Elder]

There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.

Signed-off-by: Paul Elder <paul.elder at ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo at jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>

---
No change in v2
---
 src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index 2723450..8396f58 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -540,6 +540,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *cf, struct v4l2_buffer *arg
 {
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << cf->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	int ret = lock(cf);
 	if (ret < 0)
 		return ret;
@@ -560,6 +563,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *cf, struct v4l2_buffer *arg)
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = "
 			       << arg->index << " fd = " << cf->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	int ret = lock(cf);
 	if (ret < 0)
 		return ret;
@@ -586,6 +592,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *cf, struct v4l2_buffer *arg)
 	if (!vcam_->isRunning())
 		return -EINVAL;
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	int ret = lock(cf);
 	if (ret < 0)
 		return ret;
-- 
2.27.0